Protocol Vulnerabilities

Many protocols contain common vulnerabilities that may be exploited, including Secure Sockets Layer (SSL) and Lightweight Directory Access Protocol (LDAP).

SSL/TLS

Transport Layer Security (TLS), including SSL-encapsulated data transfer, may be exploited in many ways. The encapsulated data stream could in principle be compromised by cryptographically recovering the key, although modern 128-bit keys are considered strong enough to put this beyond practical reach.

SSL connections are also particularly vulnerable during the handshake process, where the client and server exchange the details of the shared encryption keys to be used. Malformed certificates may be used to exploit the parsing libraries used by SSL agents, compromising security details and possibly executing code on the affected system. In addition, many forms of buffer overrun may also be used during the SSL handshake to compromise the secured connection.

In the fall of 2002, the Linux Slapper worm infected about 7,000 servers. The worm exploited a flaw in SSL on Linux-based Web servers. To read more on this, go to www.cert.org/advisories/CA-2002-27.html or news.com.com/2100-1001-958758.html.

The premise behind this vulnerability is that a client presenting a malformed key during the SSL handshake can cause a buffer overflow on the server.
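As an added illustration (not code from the book, and not the OpenSSL code the worm targeted), here is the shape of that handshake defect in C: a length-prefixed key record whose client-declared length is trusted, beside the bounds-checked form that rejects it. The record layout (2-byte big-endian length followed by key bytes) and the 64-byte buffer are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 64   /* capacity the server reserves for client key material (assumed) */

struct key_record {
    uint8_t key[MAX_KEY_LEN];
    size_t  key_len;
};

/* Vulnerable shape: copies the client's declared length into a fixed buffer with
 * no bounds check, so a length above MAX_KEY_LEN overruns out->key. Illustration only. */
int parse_key_unchecked(const uint8_t *msg, size_t msg_len, struct key_record *out)
{
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out->key, msg + 2, declared);   /* missing check: overflow happens here */
    out->key_len = declared;
    return 0;
}

/* Hardened: the declared length must fit the bytes received and the buffer before any copy. */
int parse_key_checked(const uint8_t *msg, size_t msg_len, struct key_record *out)
{
    if (msg_len < 2) return -1;                  /* length header missing */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared == 0) return -2;                /* empty key is malformed */
    if (declared > msg_len - 2) return -3;       /* header claims more than was sent */
    if (declared > MAX_KEY_LEN) return -4;       /* would overrun the buffer: reject */
    memcpy(out->key, msg + 2, declared);
    out->key_len = declared;
    return 0;
}

/* Checked parser's verdict on a constructed message whose header claims `declared`
 * key bytes but whose body carries `body_len` bytes of 'k'. */
int probe(uint16_t declared, size_t body_len)
{
    uint8_t msg[2 + 256] = { (uint8_t)(declared >> 8), (uint8_t)declared };
    struct key_record rec;
    if (body_len > 256) return -99;
    memset(msg + 2, 'k', body_len);
    return parse_key_checked(msg, 2 + body_len, &rec);
}

int main(void)
{
    printf("ok=%d truncated=%d oversize=%d\n", probe(32, 32), probe(1024, 8), probe(200, 200));
    return 0;
}
```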

LDAP

Lightweight Directory Access Protocol (LDAP) provides access to directory services, including the one used by Microsoft's Active Directory. Exploits against variations of this protocol share many common vulnerabilities, including the following:

  • Buffer overflow vulnerabilities may be used to execute arbitrary commands on the LDAP server. For example, an LDAP advisory was issued in 1999 for an exploit in Microsoft's Directory Services. This was a buffer overflow exploit that occurred during the LDAP binding process. For more information, visit ciac.llnl.gov/ciac/bulletins/j-036.shtml.

  • Format string vulnerabilities may result in unauthorized access to execute commands on the LDAP server or impair its normal operation.

  • Improperly formatted requests may be used to mount an effective denial of service (DoS) attack against the LDAP server, preventing it from responding to normal requests. For example, Cisco's Call Manager had a security advisory notice posted in early 2002. There was a memory leak associated with systems integrated with customer directories that did not validate passwords. For more information on this, go to www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml.


LDAP utilizes an object-oriented access model defined by the Directory Enabled Networking (DEN) standard, which is based on the Common Information Model (CIM) standard.




Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162
